VMware ESXi is apparently gaining popularity among cyber attackers. In the past few months, several prominent malware operators, mostly ransomware gangs, have started targeting VMware’s hypervisor solution used by a large number of enterprises. Recently, the HelloKitty gang has been observed attacking VMware ESXi servers.

What was discovered?

HelloKitty, the notorious ransomware gang that gained popularity after targeting the Polish gaming firm CD Projekt, has joined the growing list of ransomware operators targeting VMware ESXi.
  • Researchers from MalwareHunterTeam have identified several Linux ELF64 versions of the HelloKitty ransomware, which are designed to target VMware's ESXi virtual machine platform.
  • The malware is using esxcli, ESXi's command-line management tool, to explore the machines and consequently, target them. 
  • It attempts to shut down the machines before attempting to encrypt them. This method enables attackers to encrypt several machines using a single command.
  • The files targeted by HelloKitty include .vmdk (virtual hard disk), .vmsd (metadata and snapshot information), and .vmsn (contains the active state of the VM) files.

Other groups targeting VMware ESXi

Just a few days ago, REvil ransomware authors updated their Linux malware to target VMware ESXi and NAS devices.
  • In the previous month, a builder For Babuk Locker ransomware was leaked online. This kit can be used to create new malware that can target Windows systems, ARM-based NAS devices, and VMWare ESXi servers.
  • Around the same time, DarkSide RaaS operators had released a Linux version of their malware, which could target ESXi servers.

Ending Notes

VMware ESXi servers are commonly used by enterprises to host a large number of machines. By targeting virtual machines, attackers can encrypt multiple victims with minimal effort. Therefore, it is recommended that organizations using these servers should implement high-security mode with multiple layers of security.
Cyware Publisher

Publisher

Cyware